Please help generating master password hash in server db to retrieve wife's lost password

nozza87 · June 9, 2023, 9:43pm

I posted to Reddit but thought I’d post here too.

Hi, please direct me somewhere else if this isn’t the place to ask.

My wife had to change phones and can’t get into vaultwarden as her master password is wrong.
The hint verifies she has the correct password but she must’ve substituted a numerical / alpha swap differently and can’t work it out due to rate limiting.
I understand the importance of this password and she shouldn’t have forgot it or at least have it saved somewhere but here we are.

Anyway my question is seeing as I’m the administrator and have full access to the DB can I try to brute force her password against whatever value in the DB directly to avoid rate limits as I know the letters numbers and length used for the password just not the correct substitutions?

If so to save me reading the source code to find out what is the correct format to generate the password hash and which value in the DB do I compare it to to confirm its correct.

I am fine with writing my own script to do this I just need the finer details of what exactly I need to do
My server at the time of password creations / last change is Version 2022.10.1.

Thank you.

UPDATE:
So I tried a few things and they either didn’t work or were too slow but I’m close to a solution. (I have to brutes force around 500,000 password attempts to get back in so I want to compute directly against the master_password_hash)

If you go to Bitwarden Crypto and leave the default values then run the following python 3 script you will see the hashes match therefore I am computing them correctly as per the local / Bitwarden client.

The problem I have is I exported my ‘db.sqlite3’ from vaultwarden and extracted the ‘salt’ and ‘password_hash’ for my account but when I enter my correct login details and the db data into my python script the first two hashes (local / bitwarden client) match but the third hash (server / vaultwarden) doesn’t match.

My iterations all match my settings (100,000) so I cannot see where I am going wrong.

Anyone know what I should be doing for the server side hash calculation so it matches the db?

The official flow for all of this is on the bitwarden GitHub under help/master/images/security-white-paper/bitwarden-password-hashing-key-derivation-encryption.png
(Sorry as a new user, I couldn’t post the link)

Python Code here as couldn’t get it to inline: import hmacimport hashlibimport structimport base64def pbkdf2(digestmo - Pastebin.com

BlackDex · June 9, 2023, 10:26pm

If you use Vaultwarden, then i suggest to increase the rate limiting threshold and brute force instead of trying to generate the hash stored in the database.

The hash generated by the Bitwarden clients isn’t the same as what is stored in the database. If you are using the latest stable Vaultwarden, then it runs a PBKDF of 600_000 over the received hash before it stores it into the database.

But, as mentioned, i suggest to increase the rate limiting threshold.

github.com

dani-garcia/vaultwarden/blob/adf67a8ee887d21e104adfa8b6521d7971f5a1f1/.env.template#L333..L337


      
          ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
          # DOMAIN=https://vw.domain.tld:8443
          
          
## Allowed iframe ancestors (Know the risks!)
          ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
          ## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
          ## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
          ## Multiple values must be separated with a whitespace.
          # ALLOWED_IFRAME_ANCESTORS=
          
          
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
          # LOGIN_RATELIMIT_SECONDS=60
          ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
          ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
          # LOGIN_RATELIMIT_MAX_BURST=10
          
          
## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
          # ADMIN_RATELIMIT_SECONDS=300
          ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
          # ADMIN_RATELIMIT_MAX_BURST=3

nozza87 · June 10, 2023, 2:39am

Thank you for the reply.

I understand that the server runs another hash on the master_password_hash before storing it in the database using a salt randomly generated and also stored in the database as per this image:
https://raw.githubusercontent.com/bitwarden/help/master/images/security-white-paper/bitwarden-password-hashing-key-derivation-encryption.png

I have already increased my rate limits to allow me to brute force that way but it is slow due to networks latency and the API requests and all the overheads involved.

Due to the sheer number of attempts I may need I can match a hash much quicker and also push it to my GPU so would prefer that way if possible, worst case I can leave it running via the API for however long it takes.

In my python script I do 100,000 PBKDF then another single PBKDF before then switching to server mode and performing another 100,000 PBKDF which should give me the hash in the db as per the image linked but it doesn’t, is this not possible or where have I gone wrong?

I assume the salt I am using from the db maybe isn’t correct?

I am generating 100,000 as that is what the vaultwarden and bitwarden client settings were when this hash was made.

BlackDex · June 10, 2023, 6:23am

Well, in the database there also is a field which states the amount of iterations the stored password has password_iterations, that should be the correct amount.

Further i suggest to first test it on your own account, not sure if you did that already, but from your story i concluded that you didn’t because you don’t know if you are doing it correctly. So, i would start there.

Also checkout Bitwarden Crypto, which might help in verifying the correct values of each step you took during the separate hashing.

Other than that, there is no magic way to match the hash except for the used password.
It would be easier useless if that was the case of course.

nozza87 · June 10, 2023, 6:30am

Thank you for the help.

Yes I used the password_iterations field to verify my 100,000 iterations is correct.

Also as linked in my first post I used the bitwarden crypto website to confirm my first two generations of the master key and master password are correct.

I used the salt value from the db to generate the final hash which should match the db hash but it doesn’t.

This value isn’t on the bitwarden crypto site so I can’t confirm it that way.

I’ve been testing all of this against a known account before I try on the lost password one.

My problem is I followed the bitwarden client and vaultwarden server source code to get my procedure yet it doesn’t work.
My only unknown is the salt and password hash db entries and why they don’t match when they should.
Unless it’s a language nuance between python and rust I can’t see the problem?

BlackDex · June 10, 2023, 2:43pm

What you are looking for is the following:

github.com

BlackDex/vaultwarden/blob/adf67a8ee887d21e104adfa8b6521d7971f5a1f1/src/db/models/user.rs#L171


      
          ///                       These routes are able to use the previous stamp id for the next 2 minutes.
          ///                       After these 2 minutes this stamp will expire.
          ///
          pub fn set_password(
              &mut self,
              password: &str,
              new_key: Option<String>,
              reset_security_stamp: bool,
              allow_next_route: Option<Vec<String>>,
          ) {
              self.password_hash = crypto::hash_password(password.as_bytes(), &self.salt, self.password_iterations as u32);
          
          
    if let Some(route) = allow_next_route {
                  self.set_stamp_exception(route);
              }
          
          
    if let Some(new_key) = new_key {
                  self.akey = new_key;
              }
          
          
    if reset_security_stamp {

Take a good look at the password, as it is converted to bytes first, so it isn’t the string sent by the clients, but a bytes version of it which is sent to the hashing function.

See: str - Rust for what that function does.
Now, I’,m not sure what the correct Python version would be but this might help.

password = "StringFromClient"
password_bytes = bytes(password,'UTF-8')
# Or
password_bytes = password.encode(encoding = 'UTF-8')

I think that should do the trick, but, I’m also not sure how the Python code you use is working on this.

Also, make sure you use the right Algorithm, see here:

github.com

BlackDex/vaultwarden/blob/adf67a8ee887d21e104adfa8b6521d7971f5a1f1/src/crypto.rs#L9-L19


      
          static DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
          const OUTPUT_LEN: usize = digest::SHA256_OUTPUT_LEN;
          
          
pub fn hash_password(secret: &[u8], salt: &[u8], iterations: u32) -> Vec<u8> {
              let mut out = vec![0u8; OUTPUT_LEN]; // Initialize array with zeros
          
          
    let iterations = NonZeroU32::new(iterations).expect("Iterations can't be zero");
              pbkdf2::derive(DIGEST_ALG, iterations, salt, secret, &mut out);
          
          
    out
          }

nozza87 · June 11, 2023, 3:43am

@BlackDex Thank you so much you amazing human!

By saying I needed to convert the string from the client to bytes made me realise that I didn’t have a string from the client.

I missed the return in the hashPassword() function of the client crypto service which is
return Utils.fromBufferToB64(hash);

The key being that the client sends the MasterPasswordHash to the server as a base64 encoded string.

I now am generating a matching hash to the db for my known login, now the brute forcing can finally begin

You have saved me and hopefully I can retrieve all my wife’s passwords and 2 factor keys and this time I will back them up safely.

Thank you again so much.

BlackDex · June 11, 2023, 5:07am

Your welcome!

As a tip, you can add eachother as an emergency contact, that way you can always login into the others account.

nozza87 · June 17, 2023, 1:10pm

UPDATE:

After a few attempts of increasing complexity and generating a password list of over 7 million passwords based on the parts we knew I got a match and my wife now has all her passwords back.

Thanks very much to all involved especially @BlackDex

I will be updating my vaultwarden server asap and adding myself as an emergency contact too.

mike9890 · July 30, 2023, 9:44am

@nozza87 hey sir can you share the entire script to decrypt the password you have shared the file at the top but i dont think it has Utils method. I am a llitte bit confused to start recovering the entire process

nozza87 · April 11, 2024, 6:52am

Sorry for the late reply.

Here are the scripts for anyone interested, hopefully they help others

https://mega.nz/file/V8ADiDLJ#UEPM-yMrbBfXim-7WY2oair6xtGgEcFB3oPlzL13VMg

Topic		Replies	Views
Can't reproduce expected cryptography with vaultwarden Help	11	206	November 8, 2023
Username or password is incorrect. Try again Help	4	603	July 31, 2023
Change DB password Help	4	595	December 13, 2022
Password reprompt? Help	2	289	June 30, 2021
Bitwarden Windows Desktop requiring SSO master password Help	2	202	August 31, 2023

Please help generating master password hash in server db to retrieve wife's lost password

Related Topics